build(deps): Bump dependabot/fetch-metadata from 2 to 3 in the gh-actions group#4
Merged
github-actions[bot] merged 1 commit intoMay 14, 2026
Conversation
Bumps the gh-actions group with 1 update: [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata). Updates `dependabot/fetch-metadata` from 2 to 3 - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](dependabot/fetch-metadata@v2...v3) --- updated-dependencies: - dependency-name: dependabot/fetch-metadata dependency-version: '3' dependency-type: direct:production update-type: version-update:semver-major dependency-group: gh-actions ... Signed-off-by: dependabot[bot] <support@github.com>
github-actions
Bot
deleted the
dependabot/github_actions/gh-actions-c22e3e74e6
branch
May 14, 2026 02:51
wolpert
added a commit
that referenced
this pull request
May 16, 2026
- ceremony: default UV to REQUIRED so WebAuthn4J enforces flagUV (#2) - ceremony: refuse the non-strict WebAuthnManager when attestation conveyance is not NONE; force operators to wire a strict manager explicitly (#3) - jwt(spring): fail-fast on HS256 secrets shorter than 32 bytes; remove the silent expand() helper that masked weak keys (#4) - jwt(micronaut): fail-fast on blank or short HS256 secrets; remove the zero-pad and random-on-blank fallbacks (#5) - persistence: make signCount updates atomic against concurrent racing assertions so clone detection cannot be silently defeated — JDBI adds AND sign_count < :sc, DynamoDB adds a conditional UpdateItem (#6) - starters: gate LoggingEmailSender / LoggingSmsSender behind dev-mode so magic-link tokens and OTP codes don't silently leak to production logs (#7) - magic-link: replace the unbounded ConcurrentHashMap of consumed JTIs with a TTL-bounded Caffeine cache; fix the Javadoc to match reality (#8) - magic-link: bind verification email to the user via UserLookup#emailFor and reject mismatches; admin service maps the new EmailMismatch result to a 400 (#9) - persistence(dynamodb): server-enforce single-use for backup-code consume and OTP consume/incrementAttempts via ConditionExpression (#10) - persistence(dynamodb): server-enforce challenge expiry in takeOnce via ConditionExpression on expiresAt instead of post-filtering in Java (#11) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
wolpert
added a commit
that referenced
this pull request
May 16, 2026
#1 — JdbiOtpRepository.incrementAttempts now unconditional; OtpService.verify uses >= #2 — BackupCodeRepository.consume returns boolean; impls atomic; race-loser → NoMatch #3 — OtpRepository.consume returns boolean; JDBI adds consumed=FALSE guard #4 — PkAuthJwtValidator rejects kid-less tokens when keyset has any kid-bearing key #5 — new ConsumedJtiStore SPI; in-memory Caffeine default; single-instance WARN #6 — startAuthentication/startRegistration always emit non-null [] credential lists #7 — new CeremonyRateLimiter SPI; default Caffeine impl; RateLimited variant; 429 #8 — JDBI/DynamoDB/InMemory repos wrap backend errors as PkAuthPersistenceException #18 — new DuplicateCredentialException extends PkAuthPersistenceException (sealed) #28 — OtpRepository.incrementAttempts returns OptionalInt; empty → NoActiveOtp Blocked: none Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the gh-actions group with 1 update: dependabot/fetch-metadata.
Updates
dependabot/fetch-metadatafrom 2 to 3Release notes
Sourced from dependabot/fetch-metadata's releases.
... (truncated)
Commits
25dd0e3v3.1.0 (#692)e073f50Merge pull request #705 from dependabot/dependabot/npm_and_yarn/hono-4.12.140670e16build(deps-dev): bump hono from 4.12.12 to 4.12.147a7fe10Merge pull request #702 from dependabot/dependabot/npm_and_yarn/dependencies-...5168191Updating dist build23882e1build(deps): bump@actions/githubin the dependencies group1072469Merge pull request #701 from dependabot/dependabot/github_actions/actions/cre...43f8a00build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1b4d904aMerge pull request #703 from dependabot/dependabot/npm_and_yarn/globals-17.5.0c8046bbbuild(deps-dev): bump globals from 17.4.0 to 17.5.0Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions